CVE-2026-4138

DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update

Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.7
Published: April 21, 2026
Last updated: April 25, 2026
Affected plugin: dx-unanswered-comments
Research Plan
Unverified

This research plan guides the exploitation of CVE-2026-4138, a Cross-Site Request Forgery (CSRF) vulnerability in the DX Unanswered Comments WordPress plugin.

1. Vulnerability Summary

The DX Unanswered Comments plugin (<= 1.7) fails to implement nonce validation when saving its administrative settings. Specifically, the logic within dxuc-unanswered-comments-admin-page.php processes POST requests to update the dxuc_authors_list and dxuc_comment_count options without verifying a cryptographic nonce (using check_admin_referer or wp_verify_nonce). This allows an attacker to modify plugin settings by tricking an authenticated administrator into clicking a link or visiting a malicious site that submits a forged POST request to the WordPress admin panel.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/options-general.php?page=dx-unanswered-comments (inferred slug based on plugin name).
  • HTTP Method: POST
  • Vulnerable Parameters: dxuc_authors_list, dxuc_comment_count.
  • Authentication Level: Unauthenticated attacker (requires an authenticated Administrator to trigger the request).
  • Preconditions: The plugin must be active, and the attacker must know or guess the settings page slug.

3. Code Flow (Inferred)

  1. The plugin registers an options page using add_options_page() in the main plugin file, pointing to a callback function or an included file: dxuc-unanswered-comments-admin-page.php.
  2. Within dxuc-unanswered-comments-admin-page.php, a code block checks if the form has been submitted:
    if ( isset( $_POST['some_submit_button_name'] ) ) { // Inferred trigger
        $authors = $_POST['dxuc_authors_list'];
        $count = $_POST['dxuc_comment_count'];
        update_option( 'dxuc_authors_list', $authors );
        update_option( 'dxuc_comment_count', $count );
    }
    
  3. Because check_admin_referer() is missing before these update_option calls, any POST request containing these parameters will update the database if the user has the required capability (usually manage_options).

4. Nonce Acquisition Strategy

No nonce is required.
The vulnerability specifically exists because the plugin does not validate nonces. Therefore, the exploitation strategy focuses on demonstrating that a request succeeds without any _wpnonce or security parameter.

5. Exploitation Strategy

The goal is to update the plugin settings to malicious or arbitrary values as an authenticated administrator via the http_request tool.

Step 1: Discover the exact Page Slug and POST parameters

Use grep to find how the settings are saved in the affected file.

grep -rn "update_option" wp-content/plugins/dx-unanswered-comments/

Identify the "submit" trigger (e.g., a parameter like dxuc_save or simply the presence of the settings keys).

Step 2: Formulate the CSRF Request

The agent will simulate an administrator's browser session.

  • URL: https://[target]/wp-admin/options-general.php?page=dx-unanswered-comments
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body (Example):
    dxuc_authors_list=1,2,3,4,5&dxuc_comment_count=999&dxuc_save=Submit (Note: dxuc_save is an inferred submit button name).

6. Test Data Setup

  1. Install the Plugin: Use wp plugin install dx-unanswered-comments --version=1.7 --activate.
  2. Verify Initial State:
    wp option get dxuc_authors_list
    wp option get dxuc_comment_count
    
  3. Identify Administrator Session: The automated agent will use the provided administrator credentials to perform the http_request.

7. Expected Results

  • The http_request should return a 200 OK or a 302 Found (redirecting back to the settings page).
  • The response body should not contain any "Are you sure you want to do this?" (WordPress's default response to failed nonce checks).
  • The database options dxuc_authors_list and dxuc_comment_count should reflect the values sent in the POST request.

8. Verification Steps

After sending the POST request, verify the changes using WP-CLI:

# Check if the authors list was updated to the payload value
wp option get dxuc_authors_list

# Check if the comment count was updated to the payload value
wp option get dxuc_comment_count

9. Alternative Approaches

If the plugin processes settings via the admin_init hook or admin-post.php instead of the direct page callback:

  1. Search for add_action( 'admin_init', ... ) or add_action( 'admin_post_...', ... ).
  2. Adjust the target URL to wp-admin/admin-post.php if an admin_post action is found.
  3. If the plugin uses the Settings API (register_setting), the vulnerability is less likely unless the developer manually implemented the processing logic improperly in the admin page file. Focus on direct update_option calls in dxuc-unanswered-comments-admin-page.php.

Research Findings
Static analysis — not yet PoC-verified

Summary

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form, which allows unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) by tricking a site administrator into performing an action like clicking a link.

Vulnerable Code

/* File: dxuc-unanswered-comments-admin-page.php */

if ( isset( $_POST['dxuc_save'] ) ) {
    $authors = $_POST['dxuc_authors_list'];
    $count = $_POST['dxuc_comment_count'];
    update_option( 'dxuc_authors_list', $authors );
    update_option( 'dxuc_comment_count', $count );
}
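
The hardened save path that the Code Flow section and the vulnerable block above describe as missing, written here as an added example rather than the plugin's own code. It keeps the option names and the dxuc_save trigger from this page and the nonce action and field name (dxuc_update_settings, dxuc_nonce) used in the Security Fix diff on this page, and it goes beyond that diff by also adding a capability check, input sanitization and a post-save redirect. The dxuc_example_ function names, the authors-list normalisation rule and the 1000 upper bound on the comment count are assumptions.

```php
<?php
/*
 * Added example (not the plugin's code): a hardened replacement for the
 * settings-save block in dxuc-unanswered-comments-admin-page.php.
 * Option names dxuc_authors_list / dxuc_comment_count and the dxuc_save
 * trigger come from the advisory; the nonce action/field names follow the
 * published fix; function names, the sanitization rules and the 1000
 * upper bound are assumptions.
 */

// Hypothetical helper: normalise a comma-separated authors list into a
// sorted, de-duplicated list of positive integer user IDs.
// Example: "1, x,3,,3" becomes "1,3".
function dxuc_example_sanitize_authors_list( $raw ) {
    $ids = array();
    foreach ( explode( ',', (string) $raw ) as $piece ) {
        $id = absint( trim( $piece ) );
        if ( $id > 0 ) {
            $ids[ $id ] = $id;
        }
    }
    sort( $ids );
    return implode( ',', $ids );
}

// Runs before any output from the settings page callback (wp_safe_redirect
// needs headers to still be unsent).
function dxuc_example_handle_settings_save() {
    if ( ! isset( $_POST['dxuc_save'] ) ) {
        return; // Nothing submitted; the caller just renders the form.
    }

    // 1. Authorisation. A nonce is not a capability check: it only shows the
    //    request came from a form this site rendered for this user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), 403 );
    }

    // 2. Intent. Verifies the nonce bound to this action and field name; on
    //    failure WordPress stops with "Are you sure you want to do this?".
    //    This is the check CVE-2026-4138 reports as missing.
    check_admin_referer( 'dxuc_update_settings', 'dxuc_nonce' );

    // 3. Input validation before anything reaches the options table.
    $authors = '';
    if ( isset( $_POST['dxuc_authors_list'] ) ) {
        $authors = dxuc_example_sanitize_authors_list(
            sanitize_text_field( wp_unslash( $_POST['dxuc_authors_list'] ) )
        );
    }
    $count = isset( $_POST['dxuc_comment_count'] ) ? absint( $_POST['dxuc_comment_count'] ) : 0;
    $count = min( $count, 1000 ); // Assumed upper bound for a comment count.

    update_option( 'dxuc_authors_list', $authors );
    update_option( 'dxuc_comment_count', $count );

    // 4. Redirect after POST so a browser refresh cannot replay the write.
    wp_safe_redirect(
        add_query_arg(
            array( 'page' => 'dx-unanswered-comments', 'updated' => '1' ),
            admin_url( 'options-general.php' )
        )
    );
    exit;
}

// The matching form: the nonce field must use the same action and field
// name that check_admin_referer() validates, and stored values are escaped
// on output.
function dxuc_example_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'dxuc_update_settings', 'dxuc_nonce' ); ?>
        <input type="text" name="dxuc_authors_list"
               value="<?php echo esc_attr( get_option( 'dxuc_authors_list', '' ) ); ?>" />
        <input type="number" name="dxuc_comment_count" min="0" max="1000"
               value="<?php echo esc_attr( get_option( 'dxuc_comment_count', 0 ) ); ?>" />
        <?php submit_button( 'Save', 'primary', 'dxuc_save' ); ?>
    </form>
    <?php
}
```

The order of the checks matters: the capability test comes first so that a logged-in subscriber who is tricked into posting the form is rejected regardless of the nonce, and the nonce test comes before any write so that a forged cross-site request from an administrator's browser never reaches update_option. Because the page callback in the original file both saves and renders, the handler is written to be called at the top of that callback, before any HTML is emitted.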

Security Fix

--- dx-unanswered-comments/dxuc-unanswered-comments-admin-page.php
+++ dx-unanswered-comments/dxuc-unanswered-comments-admin-page.php
@@ -1,5 +1,6 @@
-if ( isset( $_POST['dxuc_save'] ) ) {
+if ( isset( $_POST['dxuc_save'] ) ) {
+    check_admin_referer( 'dxuc_update_settings', 'dxuc_nonce' );
     $authors = $_POST['dxuc_authors_list'];
     $count = $_POST['dxuc_comment_count'];
     update_option( 'dxuc_authors_list', $authors );
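Review bot: the nonce check alone leaves this block without a capability check and still writes the raw $_POST values into the options table; check_admin_referer() proves the request came from a form rendered for this user, not that the user is allowed to change settings. Suggest adding `if ( ! current_user_can( 'manage_options' ) ) { wp_die( ..., 403 ); }` before the check_admin_referer() call and passing the two values through `sanitize_text_field( wp_unslash( ... ) )` and `absint()` before the update_option() calls. The first line of the hunk is also removed and re-added unchanged, so it should be a context line rather than a -/+ pair.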
@@ -10,4 +11,5 @@
 <form method="post" action="">
+    <?php wp_nonce_field( 'dxuc_update_settings', 'dxuc_nonce' ); ?>
     <input type="text" name="dxuc_authors_list" ... />
     <input type="text" name="dxuc_comment_count" ... />
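Review bot: the `...` in the two <input> lines hides whether the stored option values are echoed back through esc_attr(); since the save path in the first hunk writes the unsanitized $_POST values, this form is where a stored value would be reflected, so confirm the value attribute is built as `value="<?php echo esc_attr( get_option( 'dxuc_authors_list' ) ); ?>"` or equivalent. The wp_nonce_field() action and field name do match the check_admin_referer( 'dxuc_update_settings', 'dxuc_nonce' ) call in the first hunk, which is what lets the check pass for legitimate submissions.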

Exploit Outline

  1. Target Endpoint: The plugin's administrative settings page, typically located at /wp-admin/options-general.php?page=dx-unanswered-comments.
  2. Attacker Payload: A forged POST request containing malicious values for the parameters 'dxuc_authors_list' and 'dxuc_comment_count', along with a submission trigger (e.g., 'dxuc_save').
  3. Attack Vector: An unauthenticated attacker hosts a malicious HTML page containing an auto-submitting form or a deceptive button that sends the POST request to the target endpoint.
  4. Execution: The attacker tricks an authenticated administrator into visiting the malicious page. The browser automatically sends the administrator's session cookies with the request. Since the plugin does not verify a nonce (using check_admin_referer), the server processes the request and updates the plugin settings.